$$ \text{بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيمِ} $$
I'm Ahmed Farag, Bug Hunter at HackerOne
Server-side template injection (SSTI) occurs when user-controlled input is embedded into a server-side template, allowing users to inject template directives. An attacker can use this to inject malicious template directives and possibly execute arbitrary code on the affected server.
Template engines are designed to generate web pages by combining fixed templates with volatile data.
How can SSTI occur? It occurs when user input is concatenated directly into a template rather than passed in as data.
An attacker can potentially achieve remote code execution (RCE), taking full control of the back-end server and using it to perform other attacks on internal infrastructure.
Even in cases where full remote code execution is not possible, an attacker can use SSTI to read sensitive data and files.
```php
// The template text is fixed; the user's name is supplied as data.
$output = $twig->render("Dear {{ first_name }},", array("first_name" => $user->first_name));
```
This is not vulnerable because the user input is passed into the template as data.
```php
// The user's input becomes part of the template string itself.
$output = $twig->render("Dear " . $_GET['name']);
```
This is vulnerable because the user input is concatenated into the template itself instead of a static template being rendered with the input passed as data.
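The two Twig calls above mirrored in Python's standard-library `string.Template`, as an added example that is not part of the original post: it shows that input passed as data stays a literal string, while input concatenated into the template is interpreted by the engine and can pull other values (here a constructed placeholder secret) out of the template context. The context contents and both function names are assumptions for the demo.

```python
from string import Template

# Constructed sample of what a real application often has in its template
# context: presentation data alongside settings that must never reach a user.
TEMPLATE_CONTEXT = {
    "support_email": "help@example.test",
    "db_password": "CONSTRUCTED-SECRET",   # placeholder, not a real value
}


def render_safe(first_name: str) -> str:
    """User input is passed as *data*.

    The template text is fixed, so any '$...' inside first_name is substituted
    as a literal string and is never evaluated as a placeholder.
    """
    return Template("Dear $first_name,").safe_substitute(
        TEMPLATE_CONTEXT, first_name=first_name
    )


def render_vulnerable(first_name: str) -> str:
    """User input is concatenated into the *template itself*.

    Any '$...' inside first_name is now a template directive, so the engine
    resolves it against the whole context, including values the user should
    never see.
    """
    return Template("Dear " + first_name + ",").safe_substitute(TEMPLATE_CONTEXT)


if __name__ == "__main__":
    # A normal name renders identically in both; a name containing a
    # placeholder only changes the output of the concatenating version.
    for name in ("Ahmed", "$db_password"):
        print("safe      :", render_safe(name))
        print("vulnerable:", render_vulnerable(name))
```

The fix is the same as in the PHP example: keep the template static and hand user input to the engine as data only.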